WO2015061992A1 - 一种密钥配置方法、系统和装置 - Google Patents

一种密钥配置方法、系统和装置 Download PDF

Info

Publication number
WO2015061992A1
WO2015061992A1 PCT/CN2013/086247 CN2013086247W WO2015061992A1 WO 2015061992 A1 WO2015061992 A1 WO 2015061992A1 CN 2013086247 W CN2013086247 W CN 2013086247W WO 2015061992 A1 WO2015061992 A1 WO 2015061992A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
shared
shared key
information
configuration
Prior art date
Application number
PCT/CN2013/086247
Other languages
English (en)
French (fr)
Chinese (zh)
Inventor
庞高昆
丁志明
Original Assignee
华为终端有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 华为终端有限公司 filed Critical 华为终端有限公司
Priority to EP13896341.8A priority Critical patent/EP3065334A4/de
Priority to KR1020167014319A priority patent/KR20160078475A/ko
Priority to CA2929173A priority patent/CA2929173A1/en
Priority to PCT/CN2013/086247 priority patent/WO2015061992A1/zh
Priority to AU2013404506A priority patent/AU2013404506A1/en
Priority to JP2016550902A priority patent/JP2016540462A/ja
Priority to CN201380080528.8A priority patent/CN105723648B/zh
Publication of WO2015061992A1 publication Critical patent/WO2015061992A1/zh
Priority to US15/143,204 priority patent/US20160269176A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085Secret sharing or secret splitting, e.g. threshold schemes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0861Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/0863Generation of secret information including derivation or calculation of cryptographic keys or passwords involving passwords or one-time passwords
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/14Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/04Key management, e.g. using generic bootstrapping architecture [GBA]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/50Secure pairing of devices
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/80Wireless
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W12/00Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/60Context-dependent security
    • H04W12/69Identity-dependent
    • H04W12/77Graphical identity
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04WWIRELESS COMMUNICATION NETWORKS
    • H04W4/00Services specially adapted for wireless communication networks; Facilities therefor
    • H04W4/80Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication

Definitions

  • the present invention relates to the field of network communication technologies, and in particular, to a key configuration method, system, and apparatus.
  • WiFi Wireless Fidelity, wireless fidelity technology has been promoted by the WiFi alliance formed by many industry-leading companies since the release of the IEEE 802.11 wireless LAN standard in 1997. At the same time, it has rapid deployment, convenient use and high transmission rate. Advantages, rapid development. WiFi technology is now widely used in various industries, now laptops, PDAs (Personal Digital WiFi technology is supported by Assistant, Pocket PC and mobile phones. The access points of WiFi networks are spread throughout hotels, cafes, schools and hospitals. It can be said that WiFi technology is ubiquitous in life.
  • WPA Wi-Fi Protected Access
  • WiFi security access is a security technology used in WiFi, it requires the user to set Credential (trust, Including the account name, password) and other parameters related to WPA, such as encryption algorithms, etc., but when the user does not understand the meaning of these parameters, so they do not know how to set these parameters, thus hindering the application of WPA security technology, which Users will choose to use the network without security protection because they do not know how to set WPA parameters.
  • WPS WiFi Protected Setup, Wifi security is built to help users set the trust technology. WPS mainly emphasizes two points: security and simplicity, that is, the configuration process is simple, and the configured network should be secure.
  • the existing WPS is mainly based on a key exchange algorithm to prevent certain attacks such as eavesdropping and dictionary attacks.
  • the WPS application scenarios mainly include the following two types: the first one is an enrollee (registered party) terminal and the WiFi network as a registrar (register) (AP)
  • the second is P2P (Peer to Peer, point-to-point authentication configuration process in the scene, P2P in WiFi technology is researched to enable end-to-end direct discovery via WiFi function between terminal devices without infrastructure such as cellular or hotspots.
  • one terminal acts as the client (client) and the other terminal acts as the GO (Group) Owner, the device of the leader), the key is configured between the client and the GO, so that the subsequent client and the GO can perform data interaction based on the configured key.
  • client client
  • GO Group Owner
  • WiFi technology is gradually being applied to new fields such as smart grid, sensor network, medical network, etc.
  • a large number of WiFi devices are headless devices (Headless) Devices), the so-called headless devices are devices that do not have a display screen, no keyboard, no human-machine interface such as near-field communication, and the connection between these headless devices requires a third-party configuration device, for example, by configuring the device. Connect the AP to the set-top box, or connect the sensor to the sensor by configuring the device, and so on.
  • the key configuration between the two devices is as follows:
  • the configuration device scans the two-dimensional code on the first device, acquires the password information of the first device included in the two-dimensional code, and scans the two-dimensional code on the second device to obtain the two-dimensional code.
  • the password information of the second device the configuration device performs a WPS interaction process with the first device based on the password information of the first device, generates a key key1, encrypts the key1 by using the password information of the first device, and sends the key1 to the first device;
  • the configuration device performs a WPS interaction process with the second device based on the password information of the second device, generates a key key2, encrypts the key2 by using the password information of the second device, and sends the key2 to the second device.
  • the first device and the second device perform a secure connection based on key1 and key2, that is, based on key1 and key2.
  • the password information of the first device and the second device are in an open state, and are easily obtained by illegally, that is, any third-party device can obtain and generate a key, and then send the key to the first device and the second device. In this way, it is easy to eavesdrop on the interaction between the first device and the second device, and the security is poor.
  • the embodiment of the present invention provides a key configuration method, system, and device based on a third-party configuration device, so as to improve the security of interaction between the first device and the second device.
  • an embodiment of the present invention provides a key configuration method, where the key configuration method includes:
  • the second device generates the first shared key by using its own private key and the information for obtaining the first shared key, the first shared key being used for the first device and the A secure connection between the second device.
  • the first device by using a public key of the second device, to send information for obtaining the first shared key to the second device, includes: the first device Generating a password, using the password as a first shared key, encrypting the password by using a public key of the second device to obtain an encryption result, and transmitting the encryption result to the second device;
  • the generating, by the second device, the first shared key by using its own private key and information for obtaining the first shared key includes: the second device decrypting the encrypted result by using its own private key Obtaining the password, using the password as a first shared key; or
  • the first device generates a first shared key, and the information about the first shared key is sent to the second device by using the public key of the second device, where the first device generates a password, and the second device is used.
  • the public key of the device encrypts the password to obtain an encryption result, and sends the encryption result to the second device, and generates a derivative key for the password by using a key derivation algorithm, and uses the derived key as the first share.
  • the generating, by the second device, the first shared key by using its own private key and information for obtaining the first shared key includes: the second device decrypting the encrypted result by using its own private key Obtaining the password, generating a derivative key for the password by using the key derivation algorithm, and using the derived key as the first shared key.
  • the first device generates a first shared key, and sends, by using a public key of the second device, information for obtaining the first shared key to the second device.
  • the method includes: generating, by the first device, a random value, using the information agreed by the first device and the second device, and generating the first shared key by using the random value, and encrypting the random value by using the public key of the second device, and encrypting The result is sent to the second device;
  • the generating, by the second device, the first shared key by using its own private key and information for obtaining the first shared key includes: the second device decrypting the encrypted result by using its own private key Obtaining the random value, and generating the first shared key by using information agreed by the first device and the second device and the random value.
  • the sending, by using the public key of the second device, information for obtaining the first shared key to the second device includes: the first After the device encrypts the public key of the first device by using the public key of the second device, the device sends the encrypted result to the second device.
  • the generating, by the second device, the first shared key by using the private key of the second device and the information for obtaining the first shared key comprises: the second device using the private key of the second device to encrypt the result After the decryption is performed, the public key of the first device is obtained, and a password is generated, and the password is used as the first shared key;
  • the method further includes: receiving, by the first device, the encryption result after the second device encrypts the password by using the public key of the first device, and decrypting the received encryption result by using the private key of the first device, The password is used as the first shared key.
  • the method further includes: the first device and the second device are configured to perform a key exchange algorithm;
  • the first device generates a first shared key by using the public key of the second device, and the information for obtaining the first shared key is sent to the second device, where the first device uses the public key of the second device and The private key of the first device generates a first shared key according to the key exchange algorithm, and sends the public key of the first device to the second device;
  • the generating, by the second device, the first shared key by using the private key of the second device and the information for obtaining the first shared key includes: the second device uses the private key of the second device and the first device The public key generates a first shared key in accordance with the key exchange algorithm.
  • the first device and the second device predetermined key exchange algorithm include:
  • the first device and the second device are pre-configured with parameters used by the key exchange algorithm; or
  • the first possible implementation of the first aspect, the second possible implementation of the first aspect, the third possible implementation of the first aspect, the fourth possible aspect of the first aspect The implementation manner or the fifth possible implementation manner of the first aspect, in a sixth possible implementation, the first shared key is used for a secure connection between the first device and the second device include:
  • the first device After obtaining the first shared key, the first device generates a credential, and encrypts the credential by using the first shared key or the derived key of the first shared key, and sends the encrypted result to the first a device for decrypting the encryption result by using the obtained first shared key or a derived key of the first shared key to obtain the credential, the credential being used by the first device and a secure connection between the second devices; or,
  • the first device decrypts the encrypted result of the credential sent by the second device by using the obtained first shared key or the derived key of the first shared key to obtain the credential, and the credential encryption
  • the result is that the second device generates a credential after obtaining the first shared key, and obtains the credential by using the first shared key or the derived key of the first shared key, and the trust is obtained. Formed for a secure connection between the first device and the second device.
  • the first device if the first device is a registrar Registrar, a central node, or a group leader device GO, the first device generates The credential and transmitting the encrypted result of the credential to the second device;
  • the second device if the second device is a Registrar, a central node, or a GO, the second device generates the credential and sends the encrypted result of the credential to the first device.
  • the public key of the second device sent by the first device receiving configuration device after acquiring the public key of the second device is specifically:
  • the method further includes: the first device decrypting the encryption result to obtain a public key of the second device.
  • the public key of the second device sent by the first device receiving configuration device after acquiring the public key of the second device is specifically:
  • the method also includes:
  • the public key of the second device is obtained.
  • the establishing, by the first device, the security connection to the configuration device to generate the second shared key includes:
  • the first device and the configuration device share a credential by establishing a WPS interaction mode by using a wireless fidelity security, and using the credential as the second shared key;
  • a shared key after the configuration device acquires the public key of the first device, and generates the second share according to a pre-agreed key exchange algorithm by using the public key of the first device and its own private key. Key.
  • the method further includes: A device generates a new public key and a new private key;
  • the public key of the first device sent by the first device to the second device is the new public key; the public key of the first device used by the second device when generating the first shared key And being the new public key; the private key of the first device utilized by the first device when generating the first shared key is the new private key.
  • the first device is a registered party enrollee
  • the second device is a registrar, or the first device is a client client, the second device is a GO, or the first device is a wireless terminal, the second device is an access point, or the A device is a central node and the second device is a sensor node.
  • the method further includes: the first device according to the first The channel information of the second device quickly discovers the second device to perform the step of transmitting the information used to obtain the first shared key to the second device, where the channel information of the second device is The second device acquires and sends the information to the first device.
  • any one of the first to thirteenth possible implementation manners of the first aspect in the fourteenth possible implementation manner, the configuring device scans the two-dimensional code and the universal string
  • the method of row bus USB or near field communication acquires information from the first device or the second device.
  • the method further includes: the first device utilization Generating a verification value for the public key of the second device, and sending the verification value to the second device;
  • the second device verifies the received verification value by using its own public key before generating the first shared key, and if the verification is passed, the step of generating the first shared key is performed.
  • an embodiment of the present invention provides a key configuration method, where the key configuration method includes:
  • the configuration device acquires a public key of the second device, and sends the public key of the second device to the first device;
  • the first device transmits information for obtaining the first shared key to the second device by using the public key of the second device; or for the first device to utilize the public key of the second device Generating a first shared key, and sending information for obtaining the first shared key to the second device;
  • the second device generates the first shared key by using its own private key and the information for obtaining the first shared key, the first shared key being used for the first device and the A secure connection between the second device.
  • the first device by using the public key of the second device, to send information for obtaining the first shared key to the second device, includes: A device generates a password, the password is used as a first shared key, and the password is encrypted by using the public key of the second device to obtain an encryption result, and the encryption result is sent to the second device;
  • the generating, by the second device, the first shared key by using its own private key and information for obtaining the first shared key includes: the second device decrypting the encrypted result by using its own private key Obtaining the password, using the password as a first shared key; or
  • the first device generates a first shared key, and the information for obtaining the first shared key is sent to the second device by using the public key of the second device, so that the first device generates a password, by using the The public key of the second device encrypts the password to obtain an encryption result, and sends the encryption result to the second device, and generates a derivative key for the password by using a key derivation algorithm, and the derivative key is used as the first a shared key;
  • the generating, by the second device, the first shared key by using its own private key and information for obtaining the first shared key includes: the second device decrypting the encrypted result by using its own private key Obtaining the password, generating a derivative key for the password by using the key derivation algorithm, and using the derived key as the first shared key.
  • the first device generates a first shared key, and uses the public key of the second device to send information for obtaining the first shared key to the second
  • the device includes: generating, by the first device, a random value, using the information agreed by the first device and the second device, and generating the first shared key by using the random value, and encrypting the random value by using the public key of the second device, Sending the encrypted result to the second device;
  • the generating, by the second device, the first shared key by using its own private key and information for obtaining the first shared key includes: the second device decrypting the encrypted result by using its own private key Obtaining the random value, and generating the first shared key by using information agreed by the first device and the second device and the random value.
  • the sending, by the first device, the information used to obtain the first shared key to the second device by using the public key of the second device includes: After the first device encrypts the public key of the first device by using the public key of the second device, and sends the encryption result to the second device;
  • the generating, by the second device, the first shared key by using the private key of the second device and the information for obtaining the first shared key comprises: the second device using the private key of the second device to encrypt the result After decrypting, obtaining the public key of the first device, and generating a password, and encrypting the password, and transmitting the encryption result to the first device;
  • the first device After the first device decrypts the received encryption result by using its own private key, the obtained password is used as the first shared key.
  • the method further includes: the first device and the second device are configured to perform a key exchange algorithm;
  • the first device generates the first shared key by using the public key of the second device, and the information for obtaining the first shared key is sent to the second device, so that the first device uses the public device of the second device.
  • the key and the private key of the first key are generated according to the key exchange algorithm, and the public key of the first device is sent to the second device;
  • the generating, by the second device, the first shared key by using the private key of the second device and the information for obtaining the first shared key includes: the second device uses the private key of the second device and the first device The public key generates a first shared key in accordance with the key exchange algorithm.
  • the first device and the second device, the predetermined shared key exchange algorithm include:
  • the first device and the second device are pre-configured with parameters used by the key exchange algorithm; or
  • the configuration device sends parameters used by the key exchange algorithm to the first device and the second device.
  • the configuration device acquires a public key of the first device
  • the sending, by the configuration device, the public key of the second device to the first device includes: the configuration device encrypting a public key of the second device by using a public key of the first device, and sending the encryption result to the a first device; wherein the first device decrypts the encryption result to obtain a public key of the second device.
  • the method further includes: the configuring device and the first The device establishes a secure connection to generate a second shared key;
  • Sending the public key of the second device to the first device includes: after the configuration device encrypts the public key of the second device by using the second shared key, sending the encryption result to the first And obtaining, by the first device, the public key of the second device after decrypting the received encryption result by using the second shared key.
  • the establishing, by the configuration device, the secure connection with the first device to generate the second shared key includes:
  • the configuration device shares a credential with the first device in a WPS interaction manner, and uses the credential as the second shared key;
  • the configuration device sends its own public key to the first device, and the configuration device and the first device respectively generate the first according to a pre-agreed key exchange algorithm by using a public key of the opposite party and a private key thereof. Two shared keys.
  • the first device is a registered party enrollee, the first The second device is a registrar, or the first device is a client client, the second device is a GO, or the first device is a wireless terminal, the second device is an access point, or the first device Is the central node, and the second device is a sensor node.
  • the method further includes: the configuring device acquiring the second device And the channel information is sent to the first device, so that the first device quickly discovers the second device according to the channel information of the second device, to send the information that is used to obtain the first shared key to the first device.
  • the configuring device acquiring the second device And the channel information is sent to the first device, so that the first device quickly discovers the second device according to the channel information of the second device, to send the information that is used to obtain the first shared key to the first device.
  • any one of the first to the tenth possible implementation manners of the second aspect in the eleventh possible implementation manner, the configuring device scans the two-dimensional code, the universal serial The manner of bus USB or near field communication acquires information from the first device or the second device.
  • an embodiment of the present invention provides a key configuration method, where the method includes:
  • the second device provides the public key of the second device to the configuration device, so that the configuration device sends the public key of the second device to the first device;
  • the second device generates the first shared key by using its own private key and the information for obtaining a first shared key, where the first shared key is used by the first device and the first A secure connection between the two devices.
  • the receiving, by the second device, the information that is sent by the first device by using the public key of the second device to obtain the first shared key includes: Receiving, by the second device, an encryption result sent by the first device, where the encryption result is that the first device generates a password, using the password as a first shared key, and using the public key of the second device to The password is encrypted;
  • the generating, by the second device, the first shared key by using the private key of the second device and the information for obtaining the first shared key includes: the second device decrypting the encrypted result by using the private key of the second device The password, the password is used as the first shared key; or
  • the receiving, by the second device, the information that is sent by the first device by using the public key of the second device, for obtaining the first shared key includes: the second device receiving the encryption result sent by the first device, where The result of the encryption is that after the first device generates a password, the password is encrypted by using the public key of the second device;
  • the generating, by the second device, the first shared key by using the private key of the second device and the information for obtaining the first shared key includes: the second device decrypting the encrypted result by using the private key of the second device Decoding a password, using the key derivation algorithm to generate a derived key for the password, and using the derived key as the first shared key.
  • the receiving, by the second device, the information that is sent by the first device by using the public key of the second device, for obtaining the first shared key includes: The second device receives the encryption result sent by the first device, where the encryption result is that the first device generates a random value, and the random value is obtained by using a public key of the second device, where the first device is obtained. Generating a first shared key by using the information agreed by the first device and the second device and the random value;
  • the generating, by the second device, the first shared key by using the private key of the second device and the information for obtaining the first shared key includes: the second device decrypting the encrypted result by using the private key of the second device
  • the random value is generated by using the information agreed by the first device and the second device and the random value to generate the first shared key.
  • the receiving, by the second device, the information that is sent by the first device by using the public key of the second device to obtain the first shared key includes: Receiving, by the second device, an encryption result obtained by encrypting, by using the public key of the second device, the public key of the first device;
  • the generating, by the second device, the first shared key by using the private key of the second device and the information for obtaining the first shared key includes: the second device decrypting the encrypted result by using a private key of the second device After obtaining the public key of the first device, generating a password, using the password as the first shared key, encrypting the password by using the public key of the first device, and transmitting the encryption result to the first a device
  • the first device After the first device decrypts the received encryption result by using its own private key, the obtained password is used as the first shared key.
  • the method further includes: the second device and the first device, a predetermined key exchange algorithm
  • the sent information for obtaining the first shared key includes: the second device receiving the first device to use The public key of the first device sent by the public key of the second device and the private key of the second device after the first shared key is generated according to the key exchange algorithm;
  • the generating, by the second device, the first shared key by using its own private key and information for obtaining the first shared key includes: the second device uses its own private key and the public key of the first device A first shared key is generated in accordance with the key exchange algorithm.
  • the second device and the first device predetermined key exchange algorithm include:
  • the second device and the first device are pre-configured with parameters used by the key exchange algorithm;
  • the second device and the first device receive parameters used by the key exchange algorithm sent by the configuration device.
  • the first shared key is used by the first device
  • the secure connection with the second device includes:
  • the second device receives the encryption result sent by the first device, where the encryption result is that the first device generates a credential after obtaining the first shared key, and uses the first shared key or the first shared key. And obtaining, by the second device, the encryption result by using the obtained first shared key or the derived key of the first shared key to obtain the credential, the credential Used for a secure connection between the first device and the second device; or
  • the second device After obtaining the first shared key, the second device generates a credential, and encrypts the credential by using the first shared key or the derived key of the first shared key, and sends the encrypted result to the first a device for decrypting the encryption result by using the obtained first shared key or a derived key of the first shared key to obtain the credential, the credential being used for the first device and A secure connection between the second devices.
  • a seventh possible implementation if the first device is a registrar Registrar, a central node, or a group leader device GO, generated by the first device The credential and transmitting the encrypted result of the credential to the second device;
  • the second device if the second device is a Registrar, a central node, or a GO, the second device generates the credential and sends the encrypted result of the credential to the first device.
  • any one of the first to the seventh possible implementation manners of the third aspect, in the eighth possible implementation manner, the method further includes:
  • the second device provides its own channel information to the configuration device, so that the configuration device sends channel information of the second device to the first device; so that the first device is configured according to channel information of the second device. Quickly discovering the second device to perform the step of transmitting information for obtaining the first shared key to the second device.
  • any one of the first to the eighth possible implementation manners of the third aspect, in the ninth possible implementation manner, the second device or the first device The method of code, USB or near field communication is for the configuration device to obtain information.
  • any one of the first to the ninth possible implementation manners of the third aspect in the tenth possible implementation manner, the method further includes:
  • the second device receives the verification value generated by the first device by using the public key of the second device, and the second device uses the public key of the second device to verify the received verification value, and if the verification passes, the execution is performed.
  • the step of generating the first shared key is performed.
  • the key configuration apparatus includes:
  • a receiving unit configured to receive a public key of the second device that is sent by the configuration device after acquiring the public key of the second device
  • a key processing unit configured to send information for obtaining the first shared key to the second device by using a public key of the second device; or generate a first shared secret by using a public key of the second device And transmitting, by the key, information for obtaining the first shared key to the second device; so that the second device generates, by using the private key of the second device and the information for obtaining the first shared key a first shared key, the first shared key being used for a secure connection between the first device and the second device.
  • the key processing unit is specifically configured to generate a password, use the password as a first shared key, and use the public key of the second device to Encrypting the password to obtain an encryption result, and transmitting the encryption result to the second device, so that the second device decrypts the encryption result by using its own private key to obtain the password, and the password is used as the first a shared key; or,
  • the key processing unit is configured to generate a password, encrypt the password by using a public key of the second device to obtain an encryption result, and send the encryption result to the second device, using a key derivation algorithm.
  • the algorithm generates a derived key for the password, and uses the derived key as the first shared key.
  • the key processing unit is specifically configured to generate a random value, and generate a first shared key by using information agreed by the first device and the second device and the random value. After encrypting the random value by using the public key of the second device, sending the encrypted result to the second device, so that the second device decrypts the encrypted result by using its own private key to obtain the random value, and utilizes The information agreed by the first device and the second device and the random value generate the first shared key.
  • the key processing unit is specifically configured to: after the public key of the second device is encrypted by using the public key of the second device, send the encrypted result to the second
  • the device receives the encryption result sent by the second device, and the encryption result is that the second device decrypts the received encryption result by using its own private key, obtains the public key of the first device, and generates a password.
  • the password is used as the first shared key, using the public key of the first device to encrypt the password; and using the private key of the user to decrypt the received encryption result, the obtained password is obtained.
  • the first shared key As the first shared key.
  • the key processing unit is specifically configured to use the public key of the second device and the private key of the second device to be scheduled according to the first device and the second device.
  • Key exchange algorithm generates a first shared key, and sends the public key of the first device to the second device, so that the second device uses its own private key and the public key of the first device according to the
  • the key exchange algorithm generates a first shared key.
  • the key processing unit is pre-configured with parameters used by the key exchange algorithm
  • the configuration receiving unit is further configured to receive a parameter used by the key exchange algorithm sent by the configuration device, and provide the parameter to the key processing unit.
  • the key configuration apparatus further includes:
  • a secure connection unit configured to generate a credential after the first shared key is obtained by the key processing unit, and encrypt the credential by using the first shared key or the derived key of the first shared key, and then Sending the encrypted result to the second device; so that the second device decrypts the encrypted result by using the obtained first shared key or the derived key of the first shared key to obtain the credential, and the credential is used by the credential a secure connection between the first device and the second device; or a credential sent to the second device by using the obtained first shared key or a derived key of the first shared key
  • the encryption result is decrypted to obtain the credential, and the encryption result of the credential is that the second device generates a credential after obtaining the first shared key, and uses the first shared key or the first shared key.
  • the derived key is obtained by encrypting the credential, and the credential is used for a secure connection between the first device and the second device.
  • the configuration receiving unit is specifically configured to receive the configuration device An encryption result sent after the public key of the second device and the public key of the first device, the encryption result being that the configuration device encrypts the second device by using the public key of the first device Public key
  • the key processing unit is further configured to decrypt the encryption result to obtain a public key of the second device.
  • the configuration receiving unit is specifically configured to be used with the configuration device Establishing a secure connection to generate a second shared key; receiving an encryption result sent by the configuration device after acquiring the public key of the second device, where the encryption result is encrypted by the configuration device by using the second shared key a public key of the second device;
  • the key processing unit is further configured to: after decrypting the received encryption result by using the second shared key, obtain a public key of the second device.
  • the configuration receiving unit when the configuration receiving unit establishes a secure connection with the configuration device to generate a second shared key, specifically The configuration device establishes a WPS interaction mode to share the credential by using the wireless fidelity security, and uses the credential as the second shared key; or, specifically, receives the public key of the configuration device sent by the configuration device, where the A device generates the second shared key according to a pre-agreed key exchange algorithm using the public key of the configuration device and its own private key.
  • the key processing unit is further configured to generate a new public key and New private key;
  • the public key of the first device sent by the first device to the second device is the new public key; the public key of the first device used by the second device when generating the first shared key And being the new public key; the private key of the first device utilized by the first device when generating the first shared key is the new private key.
  • the first device is a registered party enrollee
  • the second device is a registrar, or the first device is a client client, the second device is a GO, or the first device is a wireless terminal, the second device is an access point, or the first device
  • the device is a central node and the second device is a sensor node.
  • the configuration receiving unit is further configured to receive the Configuring, by the device, the channel information of the second device that is sent after being acquired by the second device;
  • the key processing unit quickly discovers the second device according to the channel information of the second device to perform the operation of transmitting the information for obtaining the first shared key to the second device.
  • the key processing unit is further used to utilize the Generating a verification value of the second device, sending the verification value to the second device; so that the second device uses the public key pair of the second device before generating the first shared key The verification value is verified, and in the case where the verification is passed, the operation of generating the first shared key is performed.
  • the key configuration apparatus includes:
  • An information acquiring unit configured to acquire a public key of the second device
  • An information sending unit configured to send the public key of the second device to the first device
  • the first device transmits information for obtaining the first shared key to the second device by using the public key of the second device; or for the first device to utilize the public key of the second device Generating a first shared key, and sending information for obtaining the first shared key to the second device;
  • the second device generates the first shared key by using its own private key and the information for obtaining the first shared key, the first shared key being used for the first device and the A secure connection between the second device.
  • the information sending unit is further configured to send a parameter used by a key exchange algorithm to the first device and the second device, the secret
  • the key exchange algorithm is used by the first device and the second device to generate a first shared key according to the key exchange algorithm using its own private key and the public key of the counterpart.
  • the information acquiring unit is further configured to acquire a public key of the first device
  • the information sending unit is configured to encrypt the public key of the second device by using a public key of the first device, and send the encryption result to the first device, so that the first device performs the encryption result. Decrypting is performed to obtain the public key of the second device.
  • the information sending unit is further configured to establish a secure connection with the first device to generate a second share. a key; when the public key of the second device is sent to the first device, the public key of the second device is specifically encrypted by using the second shared key, and the encryption result is sent to the first a device, such that the first device decrypts the received encryption result by using the second shared key, and obtains a public key of the second device.
  • the information sending unit is specifically used when establishing a secure connection with the first device to generate a second shared key. Sharing the credential with the first device in a WPS interaction manner, using the credential as the second shared key; or transmitting its own public key to the first device, using the public key of the first device And generating the second shared key according to a pre-agreed key exchange algorithm with its own private key.
  • the information acquiring unit is further configured to acquire the second device Channel information
  • the information sending unit is further configured to send the channel information of the second device to the first device, so that the first device quickly discovers the second device according to channel information of the second device, to execute the An operation of transmitting information for obtaining the first shared key to the second device.
  • the information acquiring unit is specifically configured to scan the two-dimensional code
  • the method of universal serial bus USB or near field communication acquires information from the first device or the second device.
  • the key configuration apparatus includes:
  • An information providing unit configured to provide a public key of the second device to the configuration device, so that the configuration device sends the public key of the second device to the first device;
  • An information receiving unit configured to receive information used by the first device to obtain a first shared key by using a public key of the second device, or receive information that the first device uses the second device After the key generates the first shared key, the information sent to obtain the first shared key is sent;
  • a key processing unit configured to generate the first shared key by using a private key thereof and the information used to obtain the first shared key, where the first shared key is used by the first device and the A secure connection between the second devices.
  • the information receiving unit is configured to receive an encryption result sent by the first device, where the encryption result is that the first device generates a password, The password is used as the first shared key, and the password is encrypted by using the public key of the second device;
  • the key processing unit is specifically configured to decrypt the encryption result by using a private key of the user to obtain the password, and use the password as the first shared key; or
  • the information receiving unit is configured to receive an encryption result sent by the first device, where the encryption result is that after the first device generates a password, the password is encrypted by using a public key of the second device. of;
  • the key processing unit is specifically configured to decrypt the encryption result by using a private key of the user to obtain the password, and generate a derivative key for the password by using the key derivation algorithm, and use the derived key as a The first shared key is described.
  • the information receiving unit is specifically configured to receive an encryption result sent by the first device, where the encryption result is that the first device generates a random value, and the The public key of the second device is obtained by encrypting the random value, and the first device generates the first shared key by using the information agreed by the first device and the second device and the random value;
  • the key processing unit is configured to decrypt the encryption result by using a private key of the first device to obtain the random value, and generate the first information by using information agreed by the first device and the second device and the random value.
  • a shared key is configured to decrypt the encryption result by using a private key of the first device to obtain the random value, and generate the first information by using information agreed by the first device and the second device and the random value.
  • the information receiving unit is specifically configured to receive the encryption obtained by the first device encrypting the public key of the first device by using the public key of the second device result;
  • the key processing unit is configured to: after decrypting the encryption result by using a private key of the user, obtain a public key of the first device, and generate a password, where the password is used as the first shared key. After encrypting the password by using the public key of the first device, sending the encryption result to the first device, so that the first device decrypts the received encryption result by using the private key of the first device, and then obtains the obtained password. As the first shared key.
  • the information receiving unit is configured to receive, by using the public key of the second device and the private key of the second device, the first device to generate the first according to the key exchange algorithm. After the key is shared, the public key of the first device that is sent; the key exchange algorithm is predetermined by the first device and the second device;
  • the key processing unit is configured to generate a first shared key according to the key exchange algorithm by using a private key of the first device and a public key of the first device.
  • the key processing unit is pre-configured with parameters used by the key exchange algorithm.
  • the information receiving unit is further configured to receive a parameter used by the key exchange algorithm sent by the configuration device, and provide the parameter to the key processing unit.
  • the key configuration apparatus further includes:
  • a secure connection unit configured to receive an encryption result sent by the first device, where the encryption result is that the first device generates a credential after obtaining the first shared key, and uses the first shared key or the first shared key
  • the derived key is obtained by encrypting the credential; decrypting the encrypted result by using the obtained first shared key or the derived key of the first shared key to obtain the credential, the credential being used for the a secure connection between the first device and the second device; or
  • the key processing unit obtains the first shared key, generates a credential, and encrypts the credential by using the first shared key or the derived key of the first shared key, and sends the encrypted result to the Determining, by the first device, the encryption result by using the obtained first shared key or a derived key of the first shared key to obtain the credential, wherein the credential is used for the first A secure connection between a device and the second device.
  • the information providing unit is further configured to use the second device Channel information is provided to the configuration device, so that the configuration device sends channel information of the second device to the first device; so that the first device quickly discovers the second device according to channel information of the second device, The operation of transmitting the information for obtaining the first shared key to the second device is performed.
  • the information providing unit is specifically configured to pass the two-dimensional code,
  • the manner of USB or near field communication provides information to the configuration device.
  • the information receiving unit is further configured to receive the first The verification value generated by the device using the public key of the second device;
  • the key processing unit is further configured to verify the received verification value by using its own public key, and if the verification passes, perform an operation of generating the first shared key.
  • the seventh aspect the key configuration system, comprising: the key configuration device according to the fourth aspect, the key configuration device according to the fifth aspect, and the key configuration device according to the sixth aspect; or
  • the key configuration apparatus according to the seventh possible implementation of the fourth aspect, the key configuration apparatus according to the second possible implementation of the fifth aspect, and the sixth aspect, the sixth aspect a key configuration apparatus according to any one of the sixth possible implementations; or
  • a key configuration apparatus according to the eighth possible implementation of the fourth aspect, the key configuration apparatus according to the third possible implementation of the fifth aspect, and the sixth aspect, the sixth aspect a key configuration apparatus according to any one of the sixth possible implementations; or
  • a key configuration apparatus according to the ninth possible implementation of the fourth aspect, the key configuration apparatus according to the fourth possible implementation of the fifth aspect, and the sixth aspect, the sixth aspect a key configuration apparatus according to any one of the sixth possible implementations; or
  • the key configuration apparatus according to the eleventh possible implementation manner of the fourth aspect, the density of any one of the first to fourth possible implementation manners of the fifth aspect, the fifth aspect Key configuration apparatus, and the key configuration apparatus according to any one of the first to sixth possible implementations of the sixth aspect, the sixth aspect; or
  • Key configuration apparatus according to a twelfth possible implementation of the fourth aspect, a key configuration apparatus as described in a fifth possible implementation of the fifth aspect, and a seventh possibility as in the sixth aspect The key configuration device described in the implementation manner; or
  • the key configuration apparatus according to the thirteenth possible implementation manner of the fourth aspect, the secret of any one of the first to fifth possible implementation manners of the fifth aspect, the fifth aspect Key configuration apparatus and key configuration apparatus as described in the ninth possible implementation of the sixth aspect; or
  • the key configuration apparatus according to any one of the first to the thirteenth possible implementation manners of the fourth aspect, the sixth preferred implementation manner of the fifth aspect, Key configuration apparatus and key configuration apparatus as described in the eighth possible implementation of the sixth aspect.
  • the configuration device of the third party is used only for the transmission of the public key and the device information between the first device and the second device, and is used for security between the first device and the second device.
  • the first shared key of the connection is generated by the first device and the second device respectively, and the first shared key is not directly transmitted between the first device and the second device, but is used to obtain the first
  • the information of the shared key is transmitted to the second device, and the first shared key must be generated by the private key of the second device. Therefore, even if the attacker steals the public key transmitted between the configuration device, the first device, and the second device, the first shared key cannot be obtained, thereby improving the security of the interaction between the first device and the second device.
  • FIG. 1 is a schematic flowchart of a key configuration method of a third-party-based configuration device in the prior art
  • FIG. 2 is a schematic flowchart of a key configuration method according to Embodiment 1 of the present invention.
  • FIG. 3 is a schematic flowchart of a key configuration method according to Embodiment 2 of the present invention.
  • FIG. 4 is a schematic flowchart of a key configuration method according to Embodiment 3 of the present invention.
  • FIG. 5 is a schematic flowchart of a key configuration method according to Embodiment 4 of the present invention.
  • FIG. 6 is a schematic flowchart diagram of a key configuration method according to Embodiment 5 of the present invention.
  • FIG. 7 is a schematic flowchart diagram of a key configuration method according to Embodiment 6 of the present invention.
  • FIG. 8 is a schematic structural diagram of a system according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of a key configuration apparatus installed in a first device according to an embodiment of the present disclosure.
  • FIG. 10 is a schematic structural diagram of a key configuration apparatus installed in a configuration device according to an embodiment of the present disclosure
  • FIG. 11 is a schematic structural diagram of a key configuration apparatus installed in a second device according to an embodiment of the present disclosure.
  • FIG. 12 is a schematic structural diagram of hardware of a configuration device according to an embodiment of the present disclosure.
  • FIG. 13 is a schematic structural diagram of hardware of a first device according to an embodiment of the present disclosure.
  • FIG. 14 is a schematic structural diagram of hardware of a second device according to an embodiment of the present disclosure.
  • the core idea of the present invention is that the third-party configuration device acquires the public key of the second device; the public key of the second device is sent to the first device; the first device generates a shared key, and uses the public key of the second device to The information for obtaining the first shared key is sent to the second device, or the first device generates the first shared key by using the public key of the second device, and sends the information for obtaining the first shared key to the second
  • the device sends the public key of the first device to the second device according to the device information of the second device; the second device generates a shared key by using its own private key and information for obtaining the first shared key, the shared key Used for a secure connection between the first device and the second device.
  • the present invention can perform the configuration of the shared key by means of key exchange, or the configuration of the shared key without using the key exchange.
  • the methods provided by the present invention are described in detail below by several specific embodiments.
  • the key exchange is used to perform the configuration of the shared key
  • the first device and the second device reserve a key exchange algorithm
  • the key exchange algorithm is that the subsequent first device and the second device generate the share.
  • the algorithm used in the key may be, but not limited to, a DH algorithm, an RSA algorithm, or an EIGam algorithm. According to different key exchange algorithms, pre-shared parameters are different.
  • the core of the key exchange algorithm is that the device exposes its own public key, retains its own private key, uses the public key of the other party and its private key to generate a shared key, and uses the shared key to ensure the security of messages traversing the unsecured network. Sex.
  • the manner of the parameters used by the shared key exchange algorithm may include, but is not limited to, the following two types: the first mode: configuring the parameters used by the key exchange algorithm on the first device and the second device in advance; the second manner: The parameters used by the key exchange algorithm are sent to the first device and the second device by a third-party configuration device.
  • the DH algorithm is taken as an example.
  • the first device and the second device share the parameters g and P in advance, and the parameters g and P are shared in the first device and the second device in advance, where P is a prime number. g is the original root of P.
  • both the first device and the second device have their own public and private keys, the public and private keys on the first device are PkeyA and keyA, respectively, and the public and private keys on the second device are PkeyB and keyB.
  • FIG. 2 is a schematic flowchart of a key configuration method according to Embodiment 1 of the present invention. As shown in FIG. 2, the process may include the following steps:
  • Step 201 Configure the device to obtain the public key PkeyA and device information of the first device.
  • the device information includes at least address information of the first device.
  • This step is an optional step in this embodiment.
  • Step 202 Configure the device to obtain the public key PkeyB and device information of the second device.
  • the device information includes at least address information of the second device.
  • the present invention does not limit the order of the above two steps, and may be performed sequentially in any order, or may be performed simultaneously.
  • the device information is mainly address information, and may include but is not limited to the following device information: UUID (Universally Unique Identifier, universal unique identifier, manufacturer, serial number, device capability, etc.
  • the device capability refers to the algorithm, authentication method, device role information, and device type information supported by the device.
  • the device role information refers to the role that the device plays when registering, and may be enrollee, registrar, client, or GO.
  • the device type information may be a WiFi wireless terminal (such as a mobile phone, a computer, a sensor, etc.), an access point (an AP in a wifi network), a sensor node, a central node, and the like.
  • the device information acquired by the configuration device in this embodiment is mainly address information.
  • the public key PkeyA of the first device, the device information of the first device, the public key PkeyB of the second device, and the device information of the second device may be obtained in various manners, for example, by using a security medium such as NFC or USB, in particular,
  • the headless device is configured to scan the identification code by encoding the public key PkeyA of the first device and the device information of the first device to the scan identification code of the first device, and the configuration device can obtain the scan identification code by scanning the scan identification code.
  • the public key PkeyA of the first device and the device information of the first device are the same for the second device.
  • the scan identification code may be, for example, a two-dimensional code, a barcode, or the like.
  • Step 203 The configuration device sends the public key PkeyB and the device information of the second device to the first device according to the device information of the first device.
  • the configuration device may encrypt the public key PkeyB and the device information of the second device by using the public key PkeyA of the first device, and then send the encryption result to the first device.
  • the first encryption method If the public key is a public key for asymmetric encryption, it can be directly used for encryption, and the corresponding private key needs to be used for decryption.
  • the second encryption method if the public key is a public key used for key exchange, the partial information of the public key is used for encryption, or the information derived from the public key is used for encryption, and the decryption needs to use a symmetric key to decrypt, and It is not decrypted with the corresponding private key.
  • the subsequent encryption and decryption process may adopt one of the above encryption methods according to specific conditions.
  • the encryption uses the second encryption method.
  • Step 204 The first device generates a verification value by using the public key PkeyB of the second device, and sends the generated verification value to the second device.
  • the first device first decrypts the encryption result to obtain the public key PkeyB and the device information of the second device.
  • the verification value generated by using the public key PkeyB of the second device in this step may be, but not limited to, a hash value of PkeyB, or may be a verification value generated by using other preset algorithms.
  • Step 205 The first device sends the public key PkeyA of the first device to the second device by using the device information of the second device.
  • the first device After acquiring the address information of the second device, the first device sends the verification value and the PkeyA to the second device.
  • the information used to obtain the shared key sent by the first device to the second device in this embodiment is the public key PkeyA of the first device.
  • steps 204 and 205 are also not limited in sequence, and may be executed sequentially in any order, or may be performed simultaneously.
  • Step 206 The second device uses the public key PkeyB of its own to verify the received verification value. If the verification succeeds, the public key PkeyA of the first device is recorded.
  • step 204 and the verification of the verification value by the second device in this step are operations performed to further improve security and reliability, and are not essential steps of the present invention. If there is no step 204, the second device directly records the received PkeyA.
  • the second public device may use its own public key PkeyB to generate a verification value by using the same method as the first device to generate a verification value, and compare the generated verification value with the received verification value. If they are consistent, the verification is performed. Pass, otherwise the verification fails. If the authentication fails, the received public key PkeyA of the first device may be discarded, the subsequent process is not performed, and the user may be further prompted to fail to configure, for example, by using an indicator light, or by displaying on the screen, or by voice. Ways and so on.
  • Step 207 The first device and the second device respectively generate a shared key by using the public key of the other party and the private key of the other party.
  • the first device may generate a shared key at any time after step 203, that is, after obtaining the public key of the second device, the shared key may be generated, which is not necessarily in this step.
  • the first device and the second device use a pre-shared key exchange algorithm to generate a shared key.
  • the private key of the device is a random number.
  • PkeyB (g ⁇ keyB)mod(P) in the second device, and keyB is the private key of the second device, which is also a random number.
  • is the operator of the power
  • X ⁇ Y represents the Y power of X
  • mod is the operator of modulo
  • XmodY represents the modulo of X to Y.
  • the first device generates a shared key DHkeyA by using PkeyB and keyA, namely:
  • the second device generates a shared key DHkeyB by using PkeyA and keyB, namely:
  • DHkeyA DHkeyB.
  • Step 208 The first device and the second device perform a secure connection based on the shared key.
  • the first device and the second device may perform subsequent interactions based on the shared key, and the subsequent interactions may include, but are not limited to, an authentication process, an association process, a data interaction process, and the like.
  • the prior art can be used, and details are not described herein again.
  • the first device and the second device may generate a derived key for the shared key based on the shared key derivation algorithm, and use the derived key for subsequent secure connection.
  • the present invention does not limit the key derivation algorithm as long as the first device and the second device pre-agreed a consistent key derivation algorithm.
  • the first device after generating the shared key, the first device generates a credential, and encrypts the credential by using the shared key or the derived key of the shared key, and then passes the encrypted result to the first
  • the second device uses the generated shared key or the derived key of the shared key to decrypt the encrypted result to obtain a credential.
  • the second device generates a credential after generating the shared key, and encrypts the credential by using the shared key or the derived key of the shared key, and then transmits the encrypted result to the first device; the first device utilizes the generated The shared key or the derived key of the shared key decrypts the encrypted result to obtain a credential.
  • the first device sends a credential to the second device, or the second device sends a credential to the first device, which may be determined according to the device type. If the first device is a registrar, a central node, or a GO, the first device may be generated by the first device. The credentials are sent to the second device.
  • FIG. 3 is a schematic flowchart of the key configuration method according to the second embodiment of the present invention. In this embodiment, the same steps as in the first embodiment are not implemented. For further details, refer to the description in the first embodiment. As shown in Figure 3, the process includes the following steps:
  • Step 301 is the same as step 201.
  • Step 302 is the same as step 302.
  • Step 303 The configuration device establishes a secure connection with the first device to generate shared keys DHkeyC' and DHkeyA'.
  • the first way the configuration device shares the credential with the first device through the existing WPS interaction mode (ie, key1 generated in the description of FIG. 1 in the background art), and uses the credential as the shared key DHkey'.
  • the existing WPS interaction mode ie, key1 generated in the description of FIG. 1 in the background art
  • the second method is: the configuration device sends the public key PkeyC to the first device, and the configuration device uses the public key PkeyA of the first device and the private key keyC of the configuration device to perform a key exchange algorithm to generate a shared key DHkeyC'.
  • a device performs a key exchange algorithm by using the public key PkeyC of the configuration device and the private key keyA of the first device to generate a shared key DHkeyA'.
  • the configuration device needs to pre-share the parameters used by the key exchange algorithm with the first device.
  • the configuration device also obtains the shared parameters g and P in advance.
  • DHkeyC’ DHkeyA’.
  • Step 304 The configuration device encrypts the public key PkeyB of the second device and the device information by using the shared key DHkeyC', and then sends the encryption result to the first device.
  • Step 305 After decrypting the received encryption result by using the shared key DHkeyA', the first device acquires the public key PkeyB and the device information of the second device.
  • the configuration device may also use the shared key DHkeyC' to generate a derivation key, and then use the derived key to encrypt the public key PkeyB of the second device and the device information, and then send the information to the first device.
  • the method of generating the key is not shown here, as long as the configuration device and the first device are pre-agreed.
  • the first device uses the shared key DHkeyA' to derive the key, and then uses the derived key to decrypt the received encryption result.
  • Step 306 The first device generates a new private key keyA' and a new public key PkeyA'.
  • This step is a step performed to further enhance the security of the interaction.
  • the first device generates a new random number as the private key keyA', and then generates a new public key PkeyA' by using the new private key.
  • PkeyA' (g ⁇ keyA’)mod(P).
  • the subsequent steps 307 to 311 are the same as steps 204 to 208 in the first embodiment, except that the public key and the private key of the first device involved are replaced with the new public keys PkeyA' and keyA' in step 306, respectively.
  • FIG. 4 is a schematic flowchart of the key configuration method according to the third embodiment of the present invention. Similarly, in the embodiment, the same as the first embodiment. The steps are not described again, see the description in the first embodiment. As shown in Figure 4, the process includes the following steps:
  • Step 401 is the same as step 201.
  • the device information of the first device acquired by the device includes at least address information of the first device and device role information or device type information of the first device, where the device The role information refers to the role that the device plays when registering, such as enrollee, registrar, client, or GO.
  • the device type information may be a wireless terminal, an access point, a sensor node, a central node, or the like.
  • Step 402 is the same as step 202.
  • the device information of the second device acquired by the device includes at least address information of the second device and device role information or device type information of the second device.
  • the public key PkeyA of the first device, the device information, and the public key PkeyB and device information of the second device can be obtained in various manners, for example, by using a security medium such as NFC or USB, in particular,
  • a security medium such as NFC or USB
  • the public key PkeyA and device information of a device are the same for the second device.
  • the scan identification code may be, for example, a two-dimensional code, a barcode, or the like.
  • Step 403 The configuration device determines, according to the device role information or the device type information of the first device and the second device, that the public key and the device information of the first device are sent to the second device, or the public key and the device of the second device are The information is sent to the first device.
  • the first device is an enrollee, the second device is a registrar, or the first device is a client, the second device is a GO, or the first device is a wireless terminal, and the second device is an access point, then it is determined that The public key and device information of the second device are sent to the first device, so that the first device can quickly scan and discover the second device to improve efficiency. If the first device is a central node and the second device is a sensor node, it is determined that the public key and device information of the second device are sent to the first device, so that the central node can quickly discover the sensor node.
  • the roles or types of the first device and the second device are equal, for example, are sensor nodes, or both are clients, etc., whether the public key and device information of the second device are determined to be sent to the first device, or the first device The public key and device information of the device can be sent to the second device. This step is optional.
  • step 403 determines that the public key and device information of the second device are sent to the first device, and step 404 is the same as step 203.
  • Steps 405 to 409 are the same as steps 204 to 208.
  • the first device may first determine, according to the device role information or the device type information of the second device, the manner in which the first device establishes a connection with the second device, thereby determining in step 405.
  • the message type is used to send the verification value and the public key PkeyA of the first device. For example, if the first device is an enrollee, the second device is a registrar, or the first device is a wireless terminal, and the second device is an access point, the first device may use the probe message to verify the value and the public key PkeyA of the first device. Send to the second device.
  • the first device may send the verification value and the public key PkeyA of the first device to the first device by using a broadcast message.
  • Second device If the first device is a GO and the second device is a client, the first device may send the verification value and the public key PkeyA of the first device to the second device by using an invitation message. If the first device is a client and the second device is a GO, the first device may send the verification value and the public key PkeyA of the first device to the second device by using a probe message.
  • the first device may send the verification value and the public key PkeyA of the first device to the second device by using a request message. If the first device is a central node and the second device is a sensor node, the first device may send the verification value and the public key PkeyA of the first device to the second device by using an invitation message or a broadcast message.
  • the device information of the first device and the second device that are configured by the device may further include channel information.
  • the first device may quickly discover the second device according to the channel information of the second device, and perform steps. 405 and step 406, the verification value and the public key PkeyA of the first device are sent to the second device.
  • the embodiment may start from step 405 and start from step 306 in the second embodiment until the first device and the second device perform a secure connection based on the shared key.
  • FIG. 5 is a schematic flowchart of a key configuration method according to Embodiment 4 of the present invention, which is different from Embodiment 1 in this embodiment. The steps in the same manner as in the first embodiment will not be described again. As shown in Figure 5, the process includes the following steps:
  • Step 501 is the same as step 201.
  • Step 502 is the same as step 202.
  • Step 503 is the same as step 203.
  • Step 504 is the same as step 204.
  • Step 505 The first device generates a password, encrypts the password by using the public key PkeyB of the second device, and sends the encrypted result to the second device.
  • the encryption used here is the first encryption method described in the first embodiment.
  • the first device obtains the encryption result encrypted by the authentication value and the password to the second device. That is, the information used by the first device to obtain the shared key that is sent by the first device to the second device in the embodiment is the above-mentioned password generated by the first device.
  • the manner in which the first device generates the password may be arbitrary, for example, a method of generating a random number as a password, or a method of generating a password by using a preset algorithm, and the like.
  • Step 506 The second device uses its own public key PkeyB to verify the received verification value. If the verification succeeds, the received encryption result is decrypted by using the private key keyB to obtain a password.
  • the public-private key pair (PkeyB, keyB) of the second device through a certain encryption and decryption algorithm, enables the encryption result encrypted by PkeyB to be decrypted by the keyB, and the encryption and decryption algorithm can adopt the existing Various ways are not repeated here.
  • Step 507 The first device and the second device generate a shared key by using the password.
  • the first device and the second device may directly use the password as a shared key, or may generate a derived key for the password by using a pre-agreed key derivation algorithm, and use the derived key as a shared key.
  • the operation of generating the shared key by the first device may be performed at any time after the generation of the password, and is not limited to being performed in this step.
  • Step 508 is the same as step 208.
  • step 303 to step 306 in the second embodiment and the technical content described in step 403 in the third embodiment are also applicable to the fourth embodiment, and details are not described herein again.
  • the process shown in this embodiment includes the following steps:
  • Step 601 is the same as step 201.
  • Step 602 is the same as step 202.
  • Step 603 is the same as step 203.
  • Step 604 is the same as step 204.
  • Step 605 The first device generates a random value Nonce, and generates a shared key DHkey by using the public key PkeyB of the second device and the random value Nonce.
  • the shared key DHkey may be generated by using the information agreed by the other first device and the second device and the random value, for example, may be adopted.
  • MAC of the second device Media Access Control, media access control value, the hash value of the second device's public key Pkey, and so on.
  • Step 606 The first device encrypts the random value Nonce by using the public key PkeyB of the second device, and then sends the encryption result to the second device.
  • the information used to obtain the shared key in this embodiment is the random value Nonce.
  • the encryption method here may be the first encryption method described in Embodiment 1.
  • the second device After receiving the encryption result, the second device decrypts the encryption result to obtain the random value Nonce.
  • Step 607 is the same as step 206. After the verification is passed, the random value Nonce is recorded.
  • Step 608 The second device generates the shared key DHkey by using its own public key PkeyB and a random value Nonce.
  • the algorithm for generating the shared key is not specifically limited herein.
  • Step 609 is the same as step 208.
  • FIG. 7 is a schematic flowchart of a key configuration method according to Embodiment 6 of the present invention. As shown in FIG. 7, the method includes:
  • Step 701 is the same as step 201.
  • Step 702 is the same as step 202.
  • Step 703 is the same as step 203.
  • Step 704 The first device sends its own public key PkeyA to the second device.
  • the first device may encrypt the PkeyA by using the public key PkeyB of the second device, and then send the PkeyA to the second device, and the second device decrypts the PkeyA by using the private key keyB of the second device.
  • the encryption used here is the first encryption method described in the first embodiment.
  • Step 705 The second device encrypts a password by using the public key PkeyA of the first device, and sends the encryption result to the first device.
  • the password may be a credential or a session key, and may be randomly generated or generated according to an algorithm, and is not limited herein.
  • the second device may generate a verification value by using the public key PkeyA of the first device, for example, generating a hash value of the PkeyA and sending the hash value to the first device.
  • the first device After receiving the verification value, the first device first generates a verification value by using the public key PkeyA. The generated verification value is compared with the received verification value. If they are consistent, it is determined that the verification is passed, and step 706 is continued.
  • Step 706 The first device decrypts the encryption result by using its own private key keyA to obtain a password.
  • Step 707 The first device and the second device perform subsequent secure connection by using the above-mentioned password or password derived key.
  • the information used to obtain the shared key in the seventh embodiment is the public key of the first device.
  • FIG. 8 is a schematic structural diagram of a system according to an embodiment of the present invention. As shown in FIG. 8, the system includes a first device, a second device, and a configuration device of a third party.
  • the device is configured to obtain the public key of the second device, and send the public key of the second device to the first device.
  • the first device is mainly responsible for generating a first shared key and providing information for obtaining the first shared key to the second device, where the second device generates the first shared key.
  • the first device can implement the function in the following two manners:
  • the first device In the first mode, the first device generates a first shared key, and sends information for obtaining the first shared key to the second device by using the public key of the second device according to the device information of the second device. This way corresponds to the manner described in the above embodiment four.
  • the second method is to generate a first shared key by using the public key of the second device, and send information for obtaining the first shared key to the second device according to the device information of the second device. This manner corresponds to the manner described in the above embodiments 1 to 3.
  • a second device configured to generate a first shared key by using a private key thereof and information for obtaining the first shared key, where the first shared key is used for a secure connection between the first device and the second device .
  • the name of the first shared key is distinguished from the second shared key shared between the configuration device and the first device in the subsequent preferred embodiment.
  • the first device For the first mode, the first device generates a password, uses the password as the first shared key, or generates a derivative key for the password by using a key derivation algorithm, and uses the derived key as the first shared key; Then, the password is encrypted by using the public key of the second device, and the encrypted result is sent to the second device. In this manner, the information used to obtain the first shared key is password.
  • the manner in which the first device generates the password may be arbitrary, for example, a method of generating a random number as a password, or a method of generating a password by using a preset algorithm, and the like.
  • the second device decrypts the encryption result by using its own private key to obtain a password, uses the password as the first shared key, or generates a derivative key for the password by using a key derivation algorithm, and uses the derived key as the first shared key.
  • the public-private key pair (PkeyB, keyB) of the second device through a certain encryption and decryption algorithm, enables the encryption result encrypted by the public key PkeyB to be decrypted by the private key keyB.
  • This encryption and decryption algorithm has It is a very mature way, and will not be repeated here.
  • the first device In the first mode, there is also an implementation that the first device generates a random value, and the first shared key is generated by using the information agreed by the first device and the second device, and the public key of the second device is used. After encrypting the random value, the encrypted result is sent to the second device. The second device encrypts the encrypted result by using its own private key to obtain the random value, and then generates the first shared key by using the information agreed by the first device and the second device and the random value.
  • the information agreed by the first device and the second device may be information such as a public key of the second device, a hash value of the second device public key, a MAC address of the second device, and the like.
  • the three-party configuration device is obtained from the second device and then sent to the first device, and may even be some specific values pre-configured by the first device and the second device.
  • the first device and the second device need to perform a predetermined key exchange algorithm.
  • the key exchange algorithm that can be used herein may be, but not limited to, a DH algorithm, an RSA algorithm, or an EIGal algorithm, according to different secrets.
  • the key exchange algorithm has different parameters for pre-sharing. Taking the D-H algorithm as an example, the first device and the second device share the parameters g and P in advance, and the parameters g and P are shared in advance on the first device and the second device, where P is a prime number and g is the original root of P.
  • the manner in which the first device and the second device share the parameters used by the key exchange algorithm may include, but is not limited to, the following two types: first, configuring parameters used by the key exchange algorithm on the first device and the second device in advance; Second, the parameters used by the key exchange algorithm are sent to the first device and the second device by using a third-party configuration device.
  • the first device is specifically configured to generate a first shared key according to a key exchange algorithm by using a public key of the second device and a private key thereof, and send the public key of the first device to the second device. .
  • the information used to obtain the first shared key is the public key of the first device.
  • the second device is specifically configured to generate the first shared key according to the key exchange algorithm by using the public key of the first device and the private key of the first device.
  • the first device and the second device share the parameters used by the key exchange algorithm in the following two manners:
  • the parameters used by the key exchange algorithm are pre-configured on the first device and the second device, that is, in a static configuration manner.
  • the configuration device sends the parameters used by the key exchange algorithm to the first device and the second device, that is, the parameter configuration used by the key exchange algorithm on the first device and the second device is completed by the configuration device of the third party.
  • the configuration device is further configured to acquire device information of the second device and the first device.
  • the device information involved in the embodiment of the present invention may include, but is not limited to, address information, device capability, manufacturer, serial number, UUID, etc., where the device capability refers to an algorithm, an authentication method, a device role information, and a device supported by the device.
  • Type information, etc. where the device role information refers to the role that the device plays when registering, and may be enrollee, registrar, client, or GO.
  • the device type information may be a wireless terminal, an access point, a sensor node, a central node, or the like.
  • the device information referred to herein includes at least address information; such that the configuration device can perform an operation of transmitting the public key and device information of the second device to the first device according to the address information of the first device; and acquiring the address of the second device And transmitting the address information of the second device to the first device; and enabling the first device to send the information for obtaining the first shared key according to the address information of the second device.
  • the configuration device is further configured to acquire a public key of the first device; when the public key and device information of the second device are sent to the first device, Specifically, the public key of the first device is used to encrypt the public key and the device information of the second device.
  • the encryption may be performed by using the second encryption method described in the first embodiment to send the encryption result to the first device.
  • the first device decrypts the encryption result to obtain the public key and device information of the second device.
  • This preferred embodiment corresponds to what is described in the first embodiment.
  • the configuration device acquires information from the first device or the second device
  • the public key and the device information are included, specifically by scanning the two-dimensional code, USB or near field.
  • the manner of communication acquires information from the first device or the second device.
  • the first device may further generate a verification value by using a public key of the second device, where the verification value may be, but not limited to, a hash value of the public key of the second device, or a verification value generated by using another preset algorithm. And then transmitting the verification value to the second device according to the device information of the second device.
  • the second device Before generating the first shared key, the second device uses the public key of the second device to verify the received verification value. If the verification succeeds, the operation of generating the first shared key is continued; otherwise, the public device of the first device is discarded.
  • the key does not perform subsequent operations, and can further prompt the user to configure the failure, such as the way of using the indicator light, or the way of displaying on the screen, or the manner of voice, and the like. This preferred embodiment corresponds to what is described in the first embodiment.
  • the configuration device and the first device may also be used to establish a secure connection to generate a second shared key.
  • the following two types can be used: first, the configuration device and the first device share the credential through the existing WPS interaction manner, and the credential is used as the second shared key; second, the configuration device will be its own
  • the public key is sent to the first device, and the configuration device performs a key exchange algorithm by using the public key of the first device and the private key of the configuration device to generate a second shared key.
  • the first device uses the public key of the configuration device and the first device.
  • the private key performs a key exchange algorithm to generate a second shared key.
  • the public key and the device information of the second device are sent to the first device
  • the public key and the device information of the second device are encrypted by using the second shared key, and the encryption result is sent to the first device.
  • the first device After decrypting the received encryption result by using the second shared key, the first device obtains the public key and device information of the second device.
  • This preferred embodiment corresponds to what is described in the second embodiment.
  • the first device may further generate a new public key and a new private key.
  • the public key of the first device sent by the first device to the second device is a new public key;
  • the public key of the first device used by the second device when generating the first shared key is a new public key;
  • the private key of the first device utilized by the first device when generating the first shared key is a new private key.
  • the device role information or the device type information included in the device information may be further utilized on the basis of the foregoing first mode or the second mode, that is, the configuration device may also be used according to the first device and the second device.
  • Device role information or device type information determining whether to send the public key and device information of the second device to the first device, or to send the public key and device information of the first device to the second device.
  • the configuration device determines that the public key and the device information of the second device are sent to the first device, so that the first device can quickly scan and discover the second device, thereby improving efficiency.
  • the configuration device determines to send the public key and device information of the second device to the first device, so that the central node can quickly discover the sensor node.
  • the roles or types of the first device and the second device are equal, for example, are sensor nodes, or both are clients, etc., whether the public key and device information of the second device are determined to be sent to the first device, or the first device The public key and device information of the device can be sent to the second device.
  • the device information may be included in the device information, that is, the first device is further configured to quickly discover the second device according to the channel information of the second device, to Executing information for obtaining the first shared key is sent to the second device.
  • first device and the second device may generate a derived key for the first shared key based on the shared key derivation algorithm, in addition to directly using the first shared key for secure connection, and use the derived key for secure connection.
  • Subsequent secure connections may include, but are not limited to, an authentication process, an association process, a data interaction process, and the like.
  • an authentication process an association process
  • a data interaction process and the like.
  • the above configuration device may include one or more servers, or include one or more computers, and the first device and the second device may be, for example, a personal computer, a notebook computer, a wireless phone, a personal digital assistant (PDA), Sensor nodes, APs, etc.
  • PDA personal digital assistant
  • the manner and system provided by the present invention are not limited to a WiFi network, and may be applied to any wireless network such as Bluetooth, Zigbee, etc., and may even be applied to key configuration in a wired network.
  • FIG. 9 is a schematic structural diagram of a key configuration apparatus installed in a first device according to an embodiment of the present invention.
  • the key configuration apparatus includes: a configuration receiving unit 90 and a key processing unit 91.
  • the configuration receiving unit 90 is responsible for receiving the public key of the second device that is sent by the configuration device after acquiring the public key of the second device.
  • the key processing unit 91 is responsible for transmitting the information for obtaining the first shared key to the second device by using the public key of the second device; or the first device generates the first shared key by using the public key of the second device, and the first shared key is used. Transmitting the information of the first shared key to the second device; so that the second device generates the first shared key by using its own private key and information for obtaining the first shared key, where the first shared key is used for A secure connection between a device and a second device.
  • the way to get the first shared key can be as follows:
  • the first mode the key processing unit 91 generates a password, uses the password as the first shared key, encrypts the password with the public key of the second device to obtain an encryption result, and transmits the encryption result to the second device, so that the second device
  • the encryption result is decrypted by using its own private key to obtain a password, and the password is used as the first shared key.
  • the second mode the key processing unit 91 generates a password, encrypts the password by using the public key of the second device to obtain an encryption result, and sends the encryption result to the second device, and generates a derivative key for the password by using the key derivation algorithm.
  • the derived key is used as the first shared key, so that the second device decrypts the encrypted result by using its own private key to obtain a password, and generates a derived key for the password by using a key derivation algorithm, and uses the derived key as the first shared secret. key.
  • the third mode the key processing unit 91 generates a random value, generates the first shared key by using the information agreed by the first device and the second device, and encrypts the random value by using the public key of the second device. And sending the encryption result to the second device, so that the second device decrypts the encryption result by using the private key of the second device to obtain a random value, and generates the first shared key by using the information agreed by the first device and the second device and the random value.
  • the fourth mode the key processing unit 91 encrypts the public key of the first device by using the public key of the second device, and sends the encryption result to the second device; and receives the encryption result sent by the second device, where the encryption result is After decrypting the received encryption result by using the private key of the second device, the second device obtains the public key of the first device, generates a password, uses the password as a shared key, and encrypts the password by using the public key of the first device. After obtaining the decrypted result by using its own private key, the obtained password is used as the first shared key.
  • the fifth mode the key processing unit 91 generates the first shared key according to the key exchange algorithm predetermined by the first device and the second device by using the public key of the second device and the private key of the second device, and the public device of the first device The key is sent to the second device, so that the second device generates the first shared key according to the key exchange algorithm using its own private key and the public key of the first device.
  • the key processing unit 91 may be configured with parameters used by the key exchange algorithm in advance; or the configuration receiving unit 91 receives the parameters used by the key exchange algorithm sent by the configuration device, and provides the parameters to the key processing unit 91.
  • the key configuration apparatus may further include: a secure connection unit 92.
  • the secure connection unit 92 After the key processing unit 91 obtains the first shared key, the secure connection unit 92 generates a credential, and encrypts the credential by using the first shared key or the derived key of the first shared key, and then sends the encrypted result. Giving the second device; so that the second device decrypts the encryption result by using the obtained first shared key or the derived key of the first shared key to obtain a credential, and the credential is used between the first device and the second device Secure connection (this is shown in the figure). Alternatively, the encrypted result of the credential sent by the second device is decrypted by using the obtained first shared key or the derived key of the first shared key to obtain a credential, and the encrypted result of the credential is obtained by the second device. After the first shared key, a credential is generated, and the credential is encrypted by using the first shared key or the derived key of the first shared key, and the credential is used between the first device and the second device. Secure connection.
  • the configuration receiving unit 90 may receive an encryption result sent by the configuration device after acquiring the public key of the second device and the public key of the first device, and the encryption result is configured by the configuration device to encrypt the public key of the first device.
  • the public key of the second device The public key of the second device.
  • the key processing unit 91 can also be used to decrypt the encryption result to obtain the public key of the second device.
  • the configuration receiving unit 90 establishes a secure connection with the configuration device to generate a second shared key, and receives an encryption result sent by the configuration device after acquiring the public key of the second device, and the encryption result is that the configuration device utilizes the second share.
  • the public key of the second device encrypted by the key.
  • the key processing unit 91 decrypts the received encryption result using the second shared key, and obtains the public key of the second device.
  • the configuration receiving unit 90 when establishing a secure connection with the configuration device to generate the second shared key, specifically shares the credential with the configuration device through the WPS interaction mode, and uses the credential as the second shared key; or, the specific receiving configuration device
  • the public key of the configured configuration device the first device generates a second shared key according to a pre-agreed key exchange algorithm by using the public key of the configuration device and its own private key.
  • the key processing unit 91 may also generate a new public key and a new private key after obtaining the public key of the second device; thus, the first device sends the first device to the second device.
  • the public key is the new public key; the public key of the first device utilized by the second device when generating the first shared key is a new public key; the first device utilizes itself when generating the first shared key
  • the private key is the new private key.
  • the configuration receiving unit 90 may further receive channel information of the second device that is sent after the configuration device acquires the second device.
  • the key processing unit 91 can quickly discover the second device according to the channel information of the second device to perform an operation of transmitting information for obtaining the first shared key to the second device.
  • the key processing unit 91 may also generate a verification value by using the public key of the second device, and send the verification value to the second device; so that the second device utilizes its own public key before generating the first shared key.
  • the received verification value is verified, and in the case where the verification is passed, the operation of generating the first shared key is performed.
  • FIG. 10 is a schematic structural diagram of a key configuration apparatus installed in a configuration device according to an embodiment of the present invention. As shown in FIG. 10, the key configuration apparatus includes: an information acquisition unit 11 and an information transmission unit 12.
  • the information acquiring unit 11 is responsible for acquiring the public key of the second device.
  • the information transmitting unit 12 is responsible for transmitting the public key of the second device to the first device.
  • the first device can send the information for obtaining the first shared key to the second device by using the public key of the second device; or the first device can generate the first shared key by using the public key of the second device, Sending information for obtaining the first shared key to the second device.
  • the second device then generates a first shared key using its own private key and information for obtaining the first shared key, the first shared key being used for a secure connection between the first device and the second device.
  • the information sending unit 12 may further send the parameters used by the key exchange algorithm to the first device and the second device.
  • the key exchange algorithm is used by the first device and the second device to generate the first shared key according to the key exchange algorithm using its own private key and the public key of the other party.
  • the information acquisition unit 11 may acquire the public key of the first device.
  • the public key of the second device is encrypted by the information transmitting unit 12 by using the public key of the first device, and the encryption result is sent to the first device, so that the first device decrypts the encryption result to obtain the public key of the second device.
  • the information sending unit 12 establishes a secure connection with the first device to generate a second shared key; when the public key of the second device is sent to the first device, specifically using the second shared key After the public key of the second device is encrypted, the encryption result is sent to the first device, so that the first device decrypts the received encryption result by using the second shared key, and obtains the public key of the second device.
  • the information sending unit 12 shares the credential with the first device through WPS interaction, and uses the credential as the second shared key; or,
  • the public key is sent to the first device, and the second shared key is generated according to a pre-agreed key exchange algorithm by using the public key of the first device and the private key of the first device.
  • the information acquiring unit 11 may also acquire channel information of the second device.
  • the information transmitting unit 12 transmits the channel information of the second device to the first device, so that the first device quickly discovers the second device according to the channel information of the second device to perform information for obtaining the first shared key. The operation sent to the second device.
  • the information acquisition unit 11 acquires information from the first device or the second device by scanning a two-dimensional code, a universal serial bus USB, or a near field communication.
  • FIG. 11 is a schematic structural diagram of a key configuration apparatus provided in a second device according to an embodiment of the present invention.
  • the key configuration apparatus may include: an information providing unit 21, an information receiving unit 22, and a key. Processing unit 23.
  • the information providing unit 21 is responsible for providing the configuration device with the public key of the second device, so that the configuration device transmits the public key of the second device to the first device.
  • the information receiving unit 22 is responsible for receiving information used by the first device to obtain the first shared key by using the public key of the second device; or after receiving the first shared key by using the public key of the second device by the first device, The transmitted information for obtaining the first shared key.
  • the key processing unit 23 is responsible for generating a first shared key using its own private key and information for obtaining the first shared key, the first shared key being used for a secure connection between the first device and the second device.
  • the way to get the first shared key can be as follows:
  • the first mode the information receiving unit 22 receives the encryption result sent by the first device, and the encryption result is that the first device generates a password, and the password is used as the first shared key, and the password is encrypted by using the public key of the second device.
  • the key processing unit 23 decrypts the encryption result using its own private key to obtain a password, and uses the password as the first shared key.
  • the second mode the information receiving unit 22 receives the encryption result sent by the first device, and the encryption result is obtained by encrypting the password by using the public key of the second device after the first device generates the password.
  • the key processing unit 23 decrypts the encryption result by using its own private key to obtain a password, and generates a derivative key for the password by using a key derivation algorithm, and uses the derived key as the first shared key.
  • the third mode the information receiving unit 22 receives the encryption result sent by the first device, and the encryption result is that the first device generates a random value, and the first shared key is generated by using the information agreed by the first device and the second device and the random value. Obtaining the random value by using the public key of the second device.
  • the key processing unit 23 decrypts the encryption result by using its own private key to obtain a random value, and generates the first shared key by using the information agreed by the first device and the second device and the random value.
  • the fourth mode the information receiving unit 22 receives the encryption result obtained by the first device encrypting the public key of the first device by using the public key of the second device.
  • the key processing unit 23 decrypts the encryption result by using its own private key, obtains the public key of the first device, and generates a password, which is used as the first shared key, and is used by the public key of the first device. After the password is encrypted, the encrypted result is sent to the first device, so that the first device decrypts the received encryption result by using its own private key, and uses the obtained password as the first shared key.
  • the fifth mode the information receiving unit 22 receives the public key of the first device sent by the first device after the first device uses the public key of the second device and the private key of the second device to generate the first shared key according to the key exchange algorithm;
  • the switching algorithm is predetermined by the first device and the second device.
  • the key processing unit 23 generates the first shared key in accordance with the key exchange algorithm using its own private key and the public key of the first device.
  • the key processing unit 23 can be pre-configured with parameters used by the key exchange algorithm.
  • the information receiving unit 22 receives the parameters used by the key exchange algorithm transmitted by the configuration device, and supplies them to the key processing unit 23.
  • the key configuration apparatus may further include: a secure connection unit 24.
  • the security connection unit 24 receives the encryption result sent by the first device, and the encryption result is that the first device generates a credential after obtaining the first shared key, and uses the first shared key or the derived key of the first shared key. Obtaining the credential by using the obtained first shared key or the derived key of the first shared key to decrypt the encrypted result, and the credential is used between the first device and the second device. Secure connection (this is shown in the figure). Alternatively, after the key processing unit 23 obtains the first shared key, generates a credential, and encrypts the credential by using the first shared key or the derived key of the first shared key, and then sends the encrypted result. Giving the first device; so that the first device decrypts the encryption result by using the obtained first shared key or the derived key of the first shared key to obtain a credential, and the credential is used between the first device and the second device Secure connection.
  • the information providing unit 21 may further provide the channel information of the second device to the configuration device, so that the configuration device sends the channel information of the second device to the first device.
  • a device quickly discovers the second device according to the channel information of the second device to perform an operation of transmitting information for obtaining the first shared key to the second device.
  • the information providing unit 21 can provide information to the configuration device by means of two-dimensional code, USB or near field communication.
  • the information receiving unit 22 may further receive a verification value generated by the first device using the public key of the second device.
  • the key processing unit 23 verifies the received verification value using its own public key, and if the verification passes, performs an operation of generating the first shared key.
  • the configuration device includes a processor, a memory, and a communication bus.
  • the processor is connected to the memory through a communication bus, and the memory stores instructions for implementing a key configuration method.
  • the configuration device further includes a communication interface that is communicatively coupled to other devices through the communication interface.
  • the first device transmits information for obtaining the first shared key to the second device by using the public key of the second device; or for the first device to utilize the public key of the second device Generating a first shared key, and sending information for obtaining the first shared key to the second device;
  • the second device generates the first shared key by using its own private key and the information for obtaining the first shared key, the first shared key being used for the first device and the A secure connection between the second device.
  • the first device as shown in FIG. 13 includes a processor, a memory, and a communication bus.
  • the processor is connected to the memory through a communication bus, and the memory stores instructions for implementing a key configuration method. Further, the The first device also includes a communication interface communicatively coupled to other devices via the communication interface.
  • the first device generates a first shared key by using the public key of the second device, and sends information for obtaining the first shared key to the second device;
  • the second device generates the first shared key by using its own private key and the information for obtaining the first shared key, the first shared key being used for the first device and the A secure connection between the second device.
  • the foregoing second device includes a processor, a memory, and a communication bus, wherein the processor is connected to the memory through a communication bus, and the memory stores instructions for implementing a key configuration method, and further, the The second device also includes a communication interface communicatively coupled to other devices via the communication interface.
  • the device described in the present invention architecturally includes some basic components such as a bus, a processing system, a storage system, one or more input/output systems, and a communication interface.
  • the bus can include one or more wires to enable communication between components in the device.
  • a processing system includes various types of processors or microprocessors for executing instructions, processing processes, or threads.
  • the storage system may include a dynamic memory such as a random access memory (RAM) that stores dynamic information, and a static memory such as a read only memory (ROM) that stores static information, and a large-capacity memory including a magnetic or optical recording medium and a corresponding drive.
  • RAM random access memory
  • ROM read only memory
  • the input system is for the user to input information to the server or the terminal device, such as a keyboard, a mouse, a stylus, a voice recognition system, or a biometric system. If it is a headless device, the input system of the human-computer interaction function may not be included.
  • the output system includes a display for outputting information, a printer, a speaker, an indicator light, and the like.
  • Communication interfaces are used to enable a server or terminal device to communicate with other systems or systems. The communication interfaces can be connected to the network through a wired connection, a wireless connection, or an optical connection.
  • Each device contains operating system software for managing system resources, controlling the operation of other programs, and application software for implementing specific functions.
PCT/CN2013/086247 2013-10-30 2013-10-30 一种密钥配置方法、系统和装置 WO2015061992A1 (zh)

Priority Applications (8)

Application Number Priority Date Filing Date Title
EP13896341.8A EP3065334A4 (de) 2013-10-30 2013-10-30 Tastenkonfigurationsverfahren, -system und -vorrichtung
KR1020167014319A KR20160078475A (ko) 2013-10-30 2013-10-30 키 구성 방법, 시스템, 및 장치
CA2929173A CA2929173A1 (en) 2013-10-30 2013-10-30 Key configuration method, system, and apparatus
PCT/CN2013/086247 WO2015061992A1 (zh) 2013-10-30 2013-10-30 一种密钥配置方法、系统和装置
AU2013404506A AU2013404506A1 (en) 2013-10-30 2013-10-30 Key configuration method, system and apparatus
JP2016550902A JP2016540462A (ja) 2013-10-30 2013-10-30 鍵コンフィギュレーション方法、システム、および装置
CN201380080528.8A CN105723648B (zh) 2013-10-30 2013-10-30 一种密钥配置方法、系统和装置
US15/143,204 US20160269176A1 (en) 2013-10-30 2016-04-29 Key Configuration Method, System, and Apparatus

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2013/086247 WO2015061992A1 (zh) 2013-10-30 2013-10-30 一种密钥配置方法、系统和装置

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US15/143,204 Continuation US20160269176A1 (en) 2013-10-30 2016-04-29 Key Configuration Method, System, and Apparatus

Publications (1)

Publication Number Publication Date
WO2015061992A1 true WO2015061992A1 (zh) 2015-05-07

Family

ID=53003122

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/086247 WO2015061992A1 (zh) 2013-10-30 2013-10-30 一种密钥配置方法、系统和装置

Country Status (8)

Country Link
US (1) US20160269176A1 (de)
EP (1) EP3065334A4 (de)
JP (1) JP2016540462A (de)
KR (1) KR20160078475A (de)
CN (1) CN105723648B (de)
AU (1) AU2013404506A1 (de)
CA (1) CA2929173A1 (de)
WO (1) WO2015061992A1 (de)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018525939A (ja) * 2015-08-24 2018-09-06 華為技術有限公司Huawei Technologies Co.,Ltd. セキュリティ認証方法、構成方法、および関連デバイス
US20230198768A1 (en) * 2020-11-10 2023-06-22 Okta, Inc. Efficient transfer of authentication credentials between client devices

Families Citing this family (29)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103582873B (zh) 2011-06-05 2017-07-14 苹果公司 用于显示从多个应用接收到的通知的系统和方法
WO2014143776A2 (en) 2013-03-15 2014-09-18 Bodhi Technology Ventures Llc Providing remote interactions with host device using a wireless device
US11343335B2 (en) 2014-05-29 2022-05-24 Apple Inc. Message processing by subscriber app prior to message forwarding
TWI647608B (zh) 2014-07-21 2019-01-11 美商蘋果公司 遠端使用者介面
WO2016036603A1 (en) 2014-09-02 2016-03-10 Apple Inc. Reduced size configuration interface
US10216351B2 (en) * 2015-03-08 2019-02-26 Apple Inc. Device configuration user interface
US9633659B1 (en) * 2016-01-20 2017-04-25 Motorola Mobility Llc Method and apparatus for voice enrolling an electronic computing device
JP6776023B2 (ja) * 2016-06-30 2020-10-28 キヤノン株式会社 通信装置、通信方法、及びプログラム
US10445109B2 (en) * 2016-06-30 2019-10-15 Digicert, Inc. Automated propagation of server configuration on a server cluster
FR3054056B1 (fr) * 2016-07-13 2018-06-29 Safran Identity & Security Procede de mise en relation securisee d'un premier dispositif avec un deuxieme dispositif
US10230700B2 (en) * 2016-08-09 2019-03-12 Lenovo (Singapore) Pte. Ltd. Transaction based message security
JP6746427B2 (ja) * 2016-08-10 2020-08-26 キヤノン株式会社 通信装置、通信方法、及びプログラム
SG10201609247YA (en) * 2016-11-04 2018-06-28 Huawei Int Pte Ltd System and method for configuring a wireless device for wireless network access
US11200488B2 (en) * 2017-02-28 2021-12-14 Cisco Technology, Inc. Network endpoint profiling using a topical model and semantic analysis
US20180310176A1 (en) * 2017-04-24 2018-10-25 Osram Sylvania Inc. Methods and Systems For Authenticating a Device to a Wireless Network
CN109246581A (zh) * 2017-05-17 2019-01-18 北京京东尚科信息技术有限公司 一种通信的方法和装置
EP3741142B1 (de) * 2018-01-19 2021-11-10 Telefonaktiebolaget Lm Ericsson (Publ) Verfahren und gerät zur teilung einer etablierten verbindung zwischen einem ersten gerät und einem von mehreren zweiten geräten in einem netzwerk
US10587400B2 (en) * 2018-02-12 2020-03-10 Afero, Inc. System and method for securely configuring a new device with network credentials
US10887193B2 (en) 2018-06-03 2021-01-05 Apple Inc. User interfaces for updating network connection settings of external devices
WO2019235802A1 (ko) * 2018-06-04 2019-12-12 엘지전자 주식회사 블루투스 기기를 통한 사용자 인증 방법 및 이를 위한 장치
JP6921338B2 (ja) 2019-05-06 2021-08-18 アップル インコーポレイテッドApple Inc. 電子デバイスの制限された動作
TWI714100B (zh) * 2019-05-24 2020-12-21 魏文科 利用非對稱式加密演算法建立、驗證輸入值的方法及其應用方法
DK201970533A1 (en) 2019-05-31 2021-02-15 Apple Inc Methods and user interfaces for sharing audio
US11481094B2 (en) 2019-06-01 2022-10-25 Apple Inc. User interfaces for location-related communications
US11477609B2 (en) 2019-06-01 2022-10-18 Apple Inc. User interfaces for location-related communications
CN113099451A (zh) * 2020-01-07 2021-07-09 上海诺基亚贝尔股份有限公司 用于连接到网络的方法、设备、装置和计算机可读介质
CN111327605B (zh) * 2020-01-23 2022-09-13 北京无限光场科技有限公司 传输私密信息的方法、终端、服务器和系统
CN111404950B (zh) * 2020-03-23 2021-12-10 腾讯科技(深圳)有限公司 一种基于区块链网络的信息共享方法、装置和相关设备
CN112073193B (zh) * 2020-09-07 2022-06-07 江苏徐工工程机械研究院有限公司 信息安全处理方法、装置和系统、工程车辆

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070118735A1 (en) * 2005-11-10 2007-05-24 Jeff Cherrington Systems and methods for trusted information exchange
CN101267301A (zh) * 2007-03-15 2008-09-17 上海贝尔阿尔卡特股份有限公司 通信网络中基于身份的认证和密钥协商方法及装置
CN101582906A (zh) * 2009-06-23 2009-11-18 中国人民解放军信息工程大学 密钥协商方法和装置

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001175467A (ja) * 1999-12-07 2001-06-29 Kizna.Com Inc コンピュータのセキュリティー確保方法及びそのプログラムを記録した媒体
JP3904011B2 (ja) * 2004-09-03 2007-04-11 大豊工業株式会社 半球状シューの製造方法
US7545932B2 (en) * 2004-10-29 2009-06-09 Thomson Licensing Secure authenticated channel
WO2007018476A1 (en) * 2005-08-11 2007-02-15 Nss Msc Sdn Bhd Hybrid cryptographic approach to mobile messaging
EP1963986A2 (de) * 2005-09-28 2008-09-03 Ontela Inc. Verfahren und system zur herstellung einer dienstanwendungs-ausführungsumgebung in einem heterogenen verteilten datenverarbeitungssystem und in der dienstanwendungs-ausführungsumgebung ausgeführte benutzerfreundliche datentransfer-dienstanwendung
CN101150849B (zh) * 2006-09-18 2010-09-08 华为技术有限公司 生成绑定管理密钥的方法、系统、移动节点及通信节点
KR100872817B1 (ko) * 2006-12-07 2008-12-09 인하대학교 산학협력단 변형 디피 헬만 기반 키교환 방법
US8478988B2 (en) * 2007-05-15 2013-07-02 At&T Intellectual Property I, L.P. System and method for authentication of a communication device
JP5159700B2 (ja) * 2009-05-19 2013-03-06 キヤノン株式会社 光学装置及び焦点検出方法
US8280408B2 (en) * 2009-07-17 2012-10-02 At&T Intellectual Property I, Lp Methods, systems and computer program products for tailoring advertisements to a user based on actions taken using a portable electronic device
EP2439238B1 (de) * 2010-10-06 2012-12-05 Borealis AG Polypropylen mit Filmscharniereigenschaften

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20070118735A1 (en) * 2005-11-10 2007-05-24 Jeff Cherrington Systems and methods for trusted information exchange
CN101267301A (zh) * 2007-03-15 2008-09-17 上海贝尔阿尔卡特股份有限公司 通信网络中基于身份的认证和密钥协商方法及装置
CN101582906A (zh) * 2009-06-23 2009-11-18 中国人民解放军信息工程大学 密钥协商方法和装置

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
"WiFi (Wireless Fidelity, wireless fidelity", 1997, WIRELESS LOCAL AREA NETWORK STANDARD IEEE802.11
See also references of EP3065334A4

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018525939A (ja) * 2015-08-24 2018-09-06 華為技術有限公司Huawei Technologies Co.,Ltd. セキュリティ認証方法、構成方法、および関連デバイス
US11343104B2 (en) 2015-08-24 2022-05-24 Huawei Technologies Co., Ltd. Method for establishing secured connection, and related device
US20230198768A1 (en) * 2020-11-10 2023-06-22 Okta, Inc. Efficient transfer of authentication credentials between client devices
US11943366B2 (en) * 2020-11-10 2024-03-26 Okta, Inc. Efficient transfer of authentication credentials between client devices

Also Published As

Publication number Publication date
CN105723648A (zh) 2016-06-29
EP3065334A1 (de) 2016-09-07
EP3065334A4 (de) 2016-11-09
AU2013404506A1 (en) 2016-06-02
JP2016540462A (ja) 2016-12-22
CN105723648B (zh) 2019-06-18
CA2929173A1 (en) 2015-05-07
US20160269176A1 (en) 2016-09-15
KR20160078475A (ko) 2016-07-04

Similar Documents

Publication Publication Date Title
WO2015061992A1 (zh) 一种密钥配置方法、系统和装置
WO2015061941A1 (zh) 一种密钥配置方法和装置
WO2017039320A1 (ko) 통신 시스템에서 프로파일 다운로드 방법 및 장치
WO2016178548A1 (ko) 프로파일 제공 방법 및 장치
WO2016163796A1 (en) Method and apparatus for downloading a profile in a wireless communication system
WO2019050325A1 (en) METHOD AND APPARATUS FOR SUPPORTING PROFILE TRANSFER BETWEEN DEVICES IN A WIRELESS COMMUNICATION SYSTEM
WO2016167536A1 (en) Method and apparatus for managing a profile of a terminal in a wireless communication system
WO2016167551A1 (ko) 통신 시스템에서 프로파일을 관리하는 기법
WO2018135919A1 (en) Apparatus and method for providing and managing security information in communication system
WO2020171672A1 (en) Method for interoperating between bundle download process and esim profile download process by ssp terminal
WO2021167399A1 (en) Apparatus and method of generating application specific keys using key derived from network access authentication
EP3284274A1 (de) Verfahren und vorrichtung zur verwaltung eines profils eines endgeräts in einem drahtloskommunikationssystem
WO2015027485A1 (zh) 远程变更签约方法及其装置
EP3520363A1 (de) Vorrichtung und verfahren zur bereitstellung und verwaltung von sicherheitsinformationen in einem kommunikationssystem
WO2020080909A1 (en) Method and apparatus for handling remote profile management exception
WO2019216739A1 (en) Security protection method and apparatus in wireless communication system
WO2019107876A1 (en) Method and apparatus for managing event in communication system
WO2022045789A1 (en) Method and apparatus for recovering profile in case of device change failure
EP3854115A1 (de) Verfahren und vorrichtung zur handhabung einer fernprofilverwaltungsausnahme
WO2019235802A1 (ko) 블루투스 기기를 통한 사용자 인증 방법 및 이를 위한 장치
WO2022149874A1 (en) Method and system of authentication and authorization in an msgin5g server
WO2018004303A1 (ko) 블루투스 기술을 사용하는 장치의 인증 방법 및 장치
WO2016048054A2 (ko) 데이터 통신 보안을 위한 방법, 장치 및 시스템
WO2020184995A1 (ko) Euicc 단말을 변경하는 방법 및 장치
WO2022158731A1 (ko) 데이터 패스를 셋업하는 전자 장치 및 그 동작 방법

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13896341

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2929173

Country of ref document: CA

ENP Entry into the national phase

Ref document number: 2016550902

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

REEP Request for entry into the european phase

Ref document number: 2013896341

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 2013896341

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 20167014319

Country of ref document: KR

Kind code of ref document: A

ENP Entry into the national phase

Ref document number: 2013404506

Country of ref document: AU

Date of ref document: 20131030

Kind code of ref document: A

REG Reference to national code

Ref country code: BR

Ref legal event code: B01A

Ref document number: 112016009744

Country of ref document: BR

ENP Entry into the national phase

Ref document number: 112016009744

Country of ref document: BR

Kind code of ref document: A2

Effective date: 20160429